
CVE-2026-34415

Severity: Critical · Public PoC available
Published: 22 April 2026
Modified: 24 April 2026
CVSS v4 score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0206 (78.8th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-34415 is a critical-severity Incomplete List of Disallowed Inputs (CWE-184) vulnerability. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 21.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34415 is an incomplete input validation vulnerability in the elFinder connector endpoint of Xerte Online Toolkits versions 3.15 and earlier. The issue arises from an incorrect regex pattern that fails to block PHP-executable extensions such as .php4, allowing potentially malicious file uploads.

Unauthenticated attackers can exploit this flaw in combination with separate authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high confidentiality, integrity, and availability impacts.
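The denylist gap described above, shown as an added Python illustration that is not Xerte's code (the actual regex is not reproduced on this page, so the denylist pattern, allowlist and file names below are constructed): a denylist that enumerates some PHP-executable extensions silently lets `.php4` through, while an allowlist of non-executable extensions, applied to every dotted segment of the name, rejects it along with case variants and double extensions.

```python
import re

# Hypothetical CWE-184 style denylist: it names several PHP-executable
# extensions but omits .php4, so a file named shell.php4 is accepted.
# Constructed for illustration; this is NOT the pattern from Xerte.
DENYLIST_RE = re.compile(r"\.(php|php3|php5|phtml)$", re.IGNORECASE)


def denylist_allows(filename: str) -> bool:
    """Weak check: accept anything the denylist does not match."""
    return DENYLIST_RE.search(filename) is None


# Hardened form: an explicit allowlist of non-executable extensions.
# Every segment after the first dot must be allowed, so "shell.php4.jpg"
# is rejected too (some web server handler configs act on inner extensions).
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "pdf", "txt", "zip"})


def allowlist_allows(filename: str) -> bool:
    """Strict check: reject path separators, dotfiles, missing extensions,
    and any dotted segment that is not on the allowlist."""
    if not filename or "/" in filename or "\\" in filename:
        return False
    if filename.startswith("."):
        return False
    parts = filename.lower().split(".")
    if len(parts) < 2 or not all(parts):
        return False
    return all(segment in ALLOWED_EXTENSIONS for segment in parts[1:])


def find_denylist_gaps(filenames):
    """Return names the denylist would accept but the allowlist rejects.
    Useful as a quick audit of an existing denylist against an allowlist."""
    return sorted(
        name for name in filenames
        if denylist_allows(name) and not allowlist_allows(name)
    )


if __name__ == "__main__":
    # Constructed sample upload names, not real attacker artefacts.
    sample = ["a.php", "b.php4", "c.phtml", "d.jpg", "e.PHP4", "f.php4.jpg"]
    print(find_denylist_gaps(sample))  # ['b.php4', 'e.PHP4', 'f.php4.jpg']
```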

Mitigation is available through patches in the Xerte Online Toolkits repository, including commits 02661be88cc369325ea01b508086bde7fbfec805, 17e4f945fe6a3400fa88c01eda18c1075ee4a212, and 507d55c5e91bf9310b5b1c7fad8aebfef902ad23. The issue is tracked at https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527, and a proof-of-concept for remote code execution is published at https://github.com/bootstrapbool/xerteonlinetoolkits-rce. Affected installations should apply these updates promptly.


Vulnerability details

Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block the PHP-executable extension .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server.


Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

The vulnerability enables unauthenticated exploitation of a public-facing web application (T1190) to upload and execute malicious PHP code that functions as a web shell (T1505.003) for arbitrary OS command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0


Affected Assets

Xerte Online Toolkits (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly addresses the incomplete input validation vulnerability by enforcing proper validation of file extension inputs in the elFinder connector to block PHP-executable extensions like .php4.
- prevent: Mitigates the vulnerability by requiring timely remediation of the specific flaw through application of the available patches that fix the incorrect regex pattern.
- prevent: Provides additional protection by restricting file upload inputs to only safe, non-executable extensions, complementing validation to prevent malicious PHP uploads.
